The General Data Protection Regulation (GDPR) builds on what is already in place under the Data Protection Directive. The main changes are:
1. An increase in fines of up to £20,000,000.
2. Breaches must be reported within 72 hours.
3. No charge for subject access requests, and the response time has been reduced to 28 days.
4. Robust documentation will be needed within companies to explain how they process their data. Process mapping: what data is held, where it is held, and who has access to it.
5. Where companies process a large amount of data, a data protection officer will be required.
What is a Breach?
A breach is described as an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data.
Examples of Breaches:
1. Unauthorised access by a third party
2. Deliberate action or inaction by the controller
3. Sending data to an incorrect recipient
4. Computing devices lost or stolen
5. Alteration of data
6. Loss of data availability (for example, archived data that cannot be accessed)
For more information on the Information Commissioner's Office (ICO) data security breach trends:
All breaches need to be reported to the ICO within 72 hours, or, for larger companies, to your data protection officer in the first instance. Having a data protection officer in place does not extend the 72 hour window, so time must be allowed for this individual to process the information and send it to the ICO within that 72 hour time frame. You must report ALL data protection breaches.
Reduce the Risk
Reception areas: What is on display?
Visitors to your offices:
· Challenge the purpose of the visit and ensure the visitor's access to company data is restricted to that purpose.
· Ask all visitors to sign into the office and ask for professional identification.
· All team members should be empowered to challenge visitors.
· What is on display?
· Are confidential files, such as personnel files, kept in a locked cabinet?
· Operate a ‘clear desk policy’.
· Are offices locked when unattended?
Computer screens: Ensure your staff know the importance of locking computer screens when they leave their desks unattended.
· Ensure security and monitoring systems prevent information being sent to home email addresses.
· Implement a secure central access point or hyperlink to reduce the need to duplicate documents as email attachments.
· Password protect documents so they remain protected if sent to the wrong recipient.
· Remove any personally identifiable data that is not required.
Mobile technology devices:
· Ensure these are password protected and report any loss immediately.
· Ensure regular password changes, at least every 6 weeks.
· Save confidential information in a secure shared location, not on the device itself.
· Owners of mobile devices must ensure that, when the device is not on their person, it is locked away.
Electronic storage: Paper records pose the biggest risk in terms of data protection breaches. Cleanse your paper data and look at secure digital storage solutions.
· Is data available?
· Is there an adequate tracking system?
· Observe retention periods and securely destroy anything older.
Confidential waste: Are adequate shredding facilities available, or is confidential waste outsourced to a reputable external provider?
· Check that all equipment is access locked.
· Ensure there are no fax machines, or photocopiers with a fax facility, in public access areas.
· Reduce the data held: if it cannot be accessed, it is better to destroy it. Large amounts of stored paper data that cannot be accessed will be considered a breach.
Training: Ensure key staff have access to Information Governance training.
Verbal transfer of data: Ensure there is a system or process in place to document conversations in which data is shared, including those conducted by telephone or on conference facilities.